U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Quick Reaction Report

Identification Proofing, Incident Handling, and Badge Disposal Procedures Needed for EPA’s Smartcard Program
Report No. 08-P-0267

September 16, 2008

Report Contributors:
    Rudolph M. Brevard
    Corey Costango
    Neven Morcos

Abbreviations

EPA        U.S. Environmental Protection Agency
EPASS      EPA Personnel Access and Security System
FIPS       Federal Information Processing Standards
HSPD-12    Homeland Security Presidential Directive 12
ID         Identification
OASIS      Office of Administration Services Information System
OIG        Office of Inspector General
PII        Personally Identifiable Information
PIV        Personal Identity Verification
SMD        Security Management Division


At a Glance

Identification Proofing, Incident Handling, and Badge Disposal Procedures Needed for EPA’s Smartcard Program

Why We Did This Review

The Office of Inspector General performed this review in response to an inquiry related to controls over identification documents used for issuing the new U.S. Environmental Protection Agency (EPA) Smartcard badges. We performed this review as a result of a specific incident. We conducted a limited review of EPA’s policies and procedures for processing identification information collected, responding to Smartcard badge incidents, and handling of defective Smartcards.

Background

Homeland Security Presidential Directive 12 established the requirements for a common standard for identifying credentials issued by federal departments and agencies to federal employees and contractors. EPA instituted the EPA Personnel Access and Security System (EPASS) program to satisfy this Directive. The program is part of EPA’s larger effort to create an integrated system to safeguard and manage workforce identity, facility access, and computer system access throughout EPA.

What We Found

Although EPA developed detailed procedures to guide the EPASS staff’s issuance of new Smartcard identification (ID) badges, an employee error in using the new ID card system resulted in an EPA employee having ID documents and other identifying information incorrectly associated with another EPA employee. An EPASS employee incorrectly accessed the wrong employee’s computer record, scanned the ID documents for the employee requesting the Smartcard, then associated the scanned documents with the incorrectly accessed computer record. Also, EPA’s procedures for issuing ID cards lacked a vital step required by federal guidance. In particular, EPA procedures did not require EPASS staff to visually inspect ID documents and compare them against the individual requesting the Smartcard and the name on the accessed computer record.

Although we did not discover more than one incident, we found that EPA lacks procedures to ensure employees take steps to correct similar incidents when they occur. Further, EPA lacks procedures for handling and disposing of defective Smartcard badges that contain personally identifiable information. According to Security Management Division managers, documenting procedures has been delayed because management attention has been focused on meeting the Office of Management and Budget deadline to roll out the EPASS program.

Authenticating an individual’s identity is a critical factor for controlling physical and logical access to EPA resources. Without taking immediate steps to correct the weaknesses noted, doubts will exist over whether EPA has the ability to become a trusted agent for verifying ID credentials as federal agencies integrate their Smartcard programs.

What We Recommend

We recommend that the Director, Security Management Division, Office of Administration and Resources Management:

   • Update existing identification card issuing procedures to ensure the procedures include all mandatory steps.

   • Create incident-handling procedures to be used by EPASS program staff when errors in the ID card issuing process occur.

   • Create and implement procedures for proper handling and disposal of defective ID badges.

The Agency agreed to implement our recommendations, and we consider the actions planned to be satisfactory.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2008/20080916-08-P-0267.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

September 16, 2008

MEMORANDUM

SUBJECT:  Identification Proofing, Incident Handling, and Badge Disposal Procedures Needed for EPA’s Smartcard Program
          Report No. 08-P-0267

FROM:     Patricia H. Hill
          Assistant Inspector General for Mission Systems

TO:       Wes Carpenter
          Director, Security Management Division
          Office of Administration and Resources Management

This report contains time-critical issues the Office of Inspector General (OIG) identified. This report represents the opinion of the OIG and does not necessarily represent the final position of the U.S. Environmental Protection Agency (EPA). EPA managers will make final determinations on matters in this report.

The estimated cost of this report – calculated by multiplying the project’s staff days by the applicable daily full cost billing rates in effect at the time – is $120,287.

Action Required

The Office of Administration and Resources Management does not have to provide a response to this report. The Agency’s response to the draft report contained an adequate corrective action plan with milestone dates to implement the plan. Accordingly, we are closing this report on issuance. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893 or brevard.rudy@epa.gov. You may also contact Neven Morcos or Corey Costango, Project Managers, at (202) 566-9688 or (202) 566-2552, respectively.


Table of Contents

   Purpose
   Background
   Scope and Methodology
   Findings
      EPASS Procedures Need Updating to Include All Federal Requirements
      Procedures Needed for Handling Smartcard Incidents
      Procedures Needed for Handling Defective Badges
   Recommendations
   Agency Comments and OIG Response
   Status of Recommendations and Potential Monetary Benefits

Appendices
   A   Agency’s Response to Discussion Draft Report
   B   Distribution


Purpose

The Office of Inspector General (OIG) initiated this review in response to an inquiry regarding the controls over identification (ID) documents used for issuing the new Smartcard badges. We initiated this review after an incident in which a U.S. Environmental Protection Agency (EPA) employee went to pick up a Smartcard badge and the badge contained the employee’s name but another employee’s image. We conducted a limited review of EPA’s policies and procedures for processing ID information. We reviewed how EPA responds to Smartcard badge incidents and how EPA handles defective Smartcard badges.

Background

Homeland Security Presidential Directive 12 (HSPD-12) established the requirements for a common ID standard for ID credentials issued by federal departments and agencies. HSPD-12 directed the Department of Commerce to develop a Federal Information Processing Standards (FIPS) publication defining such a common ID credential; that publication became FIPS 201. FIPS 201 specifies a Personal Identity Verification (PIV) system through which common ID credentials can be created and later used to verify a claimed identity. The EPA Personnel Access and Security System (EPASS) Smartcard badge and the associated management program have been instituted to satisfy EPA’s compliance with HSPD-12 and FIPS 201. The EPASS program is part of EPA’s larger effort to create an integrated system to safeguard and manage workforce identity, physical access, and logical access throughout the Agency. EPA’s Security Management Division (SMD), in the Office of Administration and Resources Management, is responsible for managing the EPASS program in compliance with all applicable authorities and directives.

Operation of the Agency’s EPASS program is outlined in two key procedure documents – the PIV Handbook and the EPASS Operation Manual. The PIV Handbook establishes EPA’s standard operating procedures for EPASS. The EPASS manual is designed to be a training document for EPASS registrars and issuers. The manual provides step-by-step descriptions for the Agency’s ID proofing, enrollment, and badge issuance processes. During ID proofing, the registrar should:

   1. Verify the applicant’s sponsorship status in the Office of Administration Services Information System (OASIS). OASIS is the authoritative source for EPASS badge holder identity information and maintains the demographic data (name, individual affiliation, etc.) needed to initiate a request.

   2. Select and copy the applicant’s name from OASIS into another application called Identix. Identix is an application used during enrollment to collect an applicant’s demographic data, fingerprints, and photograph.

   3. Verify the authenticity of the presented ID documents and that they prove the identity of the applicant.

The enrollment process is where the applicant’s demographic data, fingerprints, and photograph are collected. During badge issuance, the issuer allows the applicant to personalize the badge with a personal ID number. The issuer also has the applicant perform a fingerprint check for verification. The Agency’s new Smartcard ID badge contains Personally Identifiable Information (PII) such as an employee’s name, photograph, and fingerprint data. However, the Agency indicated that the Smartcard ID badge does not contain a Social Security number or comparable identification numbers, which would be considered Sensitive PII according to EPA’s Privacy Policy.

Scope and Methodology

We conducted this audit from April through July 2008 at EPA Headquarters in Washington, DC, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions.

We evaluated the management control processes over EPA’s Smartcard ID proofing and badge issuance processes. We reviewed the Agency’s EPASS program procedures. We interviewed EPA staff responsible for overseeing the EPASS program, and EPA contractors responsible for the daily operations of EPASS. We had not performed prior reviews or audits related to EPA’s Smartcard ID proofing and badge issuance processes, so there were no recommendations to follow up on during this audit.

Findings

Although EPA developed sufficient Smartcard ID card issuance procedures, we found that an employee error in using the new ID card system led to an EPA employee having ID documents associated with another EPA employee. An EPASS system operator accessed the wrong employee’s computer record, scanned the ID documents for the employee requesting the new ID card, then associated the scanned documents with the incorrectly accessed computer record. Also, EPA’s ID card issuing procedures lacked a vital step required by federal guidance. In particular, EPA procedures do not require ID proofing staff to visually inspect collected ID documents and compare them to the individual requesting the new ID card and the name of the computer record that is accessed.

Although we did not discover more than this incident, we found that EPA lacks procedures to ensure that if similar incidents happen again, steps are taken to correct them in a consistent manner. Further, EPA lacks procedures for handling and destroying defective ID card badges that contain individuals’ ID information.

SMD managers indicated that procedures have not been documented because they have focused on meeting the Office of Management and Budget’s deadline for rolling out the EPASS program. Maintaining control of defective Smartcard ID badges until they are properly disposed of is important because data on the Smartcard ID badges is PII. The Federal Government’s Smartcard program is built on a chain of trust that starts with the proper verification of a card applicant’s identity. ID badges are going to be uniform government-wide and will eventually be used to access any Federal agency. Implementing these badges across the government will make each agency more individually accountable for the overall physical security of the Federal Government.

EPASS Procedures Need Updating to Include All Federal Requirements

EPASS program procedure documents are missing a key step in verifying a card applicant’s identity, which contributed to the ID badge incident. According to FIPS 201, when verifying a card applicant’s identity:

   1. “The PIV Registrar shall visually inspect the identification documents and authenticate them as being genuine and unaltered;

   2. “…verify the authenticity of the source document; and

   3. “…compare the picture on the source document with the Applicant to confirm that the Applicant is the holder of the identity source document.”

Neither the PIV Handbook nor the EPASS Operation Manual – which describe EPASS procedures for ID proofing, enrollment, and badge issuance – includes a step for visually inspecting proof of identity documents and comparing them to the applicant as part of the ID proofing process.

The current ID proofing procedures contain steps that should have allowed EPASS staff to recognize the mistake made during the ID proofing process. According to the EPASS Operation Manual, during ID proofing and enrollment, an applicant is supposed to present a valid ID before each process starts. At the beginning of ID proofing, the applicant presents a form of identification. The applicant’s name is then selected from OASIS and copied into Identix. Before the next step (enrollment) starts, the applicant is supposed to present their identification again, and additional data is entered into Identix. These ID proofing procedures were additional opportunities that should have allowed the registrar or issuer to determine that they had selected the wrong EPA employee.

Procedures Needed for Handling Smartcard Incidents

EPASS program managers had not developed internal procedures to handle errors in the Smartcard issuance process. When EPASS program managers were alerted to the ID badge incident, they sought to resolve and correct the problem. EPASS managers discovered that the source of the problem was in ID proofing. The two employees involved in the incident have similar last names. After the sensitive employee authentication data was collected, it was mistakenly saved under the wrong employee’s name. To correct this problem, EPASS managers instructed the system administrator to move and delete the sensitive employee authentication data from the wrong employee’s record and copy it into the correct employee’s record, which circumvented EPASS ID proofing procedures.

EPASS program representatives indicated this was the first time this type of situation occurred. Also, they indicated that the security controls built into the Smartcard issuance process prevented the card from being issued. However, during our review, the EPASS staff could not provide us with documentation that supported how they corrected the incident in question. This documentation would include what steps the EPASS staff took and when EPA management was informed about the incident.

Having documented procedures and records is important because they provide the framework for ensuring EPASS staff consistently follow steps prescribed by EPA management. Further, the new EPA Smartcard contains an employee’s PII. Having documented procedures would allow EPASS staff to respond to a PII incident as required by EPA’s “Personally Identifiable Information (PII) Incident Handling & Response Procedure.” This Procedure requires program managers to tailor incident response activities to meet their specific security or business requirements. However, EPASS program managers had not developed internal PII incident response procedures.

We found that EPASS program managers had not established procedures to monitor system administrator changes to employees’ ID records. To resolve this incident, EPASS program managers corrected the problem by having the system administrator copy, delete, and move data within the system. These types of system changes bypass the established workflow processes that ensure the accurate verification of ID credentials and the accurate association of these credentials with the right individual. EPASS program representatives informed us that changes within the system are recorded in the system audit logs. However, these logs are currently not being reviewed.

Procedures Needed for Handling Defective Badges

The EPASS program does not have procedures for handling and disposing of defective Smartcard badges. Since the badge of concern contained one employee’s name and another’s picture and fingerprint data, we sought to determine the status of the Smartcard badge in question. Program representatives informed us they had the badge locked in a safe until the EPASS staff was sure it was appropriate to dispose of it. We asked the program representatives if these were their usual procedures for handling similar incidents. They informed us they did not have formal procedures in place because this defective badge incident was a one-time occurrence. Although one case does not sound significant, in the context of employee ID proofing and issuance, one incident could undermine the confidence individuals place in EPA’s ability to protect their confidentially provided PII.

During the course of interviews, we discovered another instance where the EPASS staff cannot issue Smartcard badges as intended. According to EPASS representatives, when personnel come to pick up their ID badges they must create a personal ID number and provide a fingerprint check for verification. EPASS program representatives stated it was common for a number of badges to not work during the fingerprint verification process. If the card did not pass the fingerprint verification process, the EPASS staff would not issue the defective card and would replace it with a new one. At this point in the ID issuance process, these defective badges contain the individual’s name, picture, and fingerprint data. Therefore, procedures for handling, storing, and disposing of these defective Smartcard badges are important in order to secure the PII on them.

Recommendations

We recommend that the Director, Security Management Division, Office of Administration and Resources Management:

   1. Update existing ID card issuing procedures to ensure the procedures include all mandatory steps required by FIPS 201. This should include steps to require EPASS program staff to visually inspect ID documents for proper verification of the applicant’s identity.

   2. Create incident-handling procedures to be used by EPASS program staff for recording, resolving, and notifying management when errors in the ID card issuing process occur. These procedures should include adopting, where applicable, EPA’s “Personally Identifiable Information (PII) Incident Handling & Response Procedure.” These procedures should also include the processes EPASS staff should use to correct employee records in the EPASS system, note how the changes to system records should be documented, and define a process for reviewing modified employee records for authorized changes.

   3. Create and implement procedures for the proper handling and disposing of defective ID badges.

Agency Comments and OIG Response

The Agency concurred with the report’s recommendations and provided a corrective action plan to address them. We believe the Agency’s planned actions, once completed, would adequately address the report’s recommendations. However, the Agency requested that we modify the report to clarify the type of PII and fingerprint data that is stored on the new EPASS badges. The Agency also requested that we modify one sentence in the report that implied the ID card incident in question was the result of a wrongfully issued EPASS badge. We reviewed the Agency comments and, where appropriate, modified the report to use consistent language regarding information stored on EPASS badges and the causes for the ID card incident in question. The Agency’s complete response is at Appendix A.


Status of Recommendations and Potential Monetary Benefits

Rec. No. | Page No. | Subject | Status (1) | Action Official | Planned Completion Date | Potential Monetary Benefits (in $000s): Claimed Amount | Agreed To Amount
-------- | -------- | ------- | ---------- | --------------- | ----------------------- | ------------------------------------------------------ | ----------------
1 | 5 | Update existing ID card issuing procedures to ensure the procedures include all mandatory steps required by FIPS 201. This should include steps to require EPASS program staff to visually inspect ID documents for proper verification of the applicant’s identity. | O | Director, Security Management Division, Office of Administration and Resources Management | 10/15/2008 | (none) | (none)
2 | 5 | Create incident-handling procedures to be used by EPASS program staff for recording, resolving, and notifying management when errors in the ID card issuing process occur. These procedures should include adopting, where applicable, EPA’s “Personally Identifiable Information (PII) Incident Handling & Response Procedure.” These procedures should also include the processes EPASS staff should use to correct employee records in the EPASS system, note how the changes to system records should be documented, and define a process for reviewing modified employee records for authorized changes. | O | Director, Security Management Division, Office of Administration and Resources Management | 12/15/2008 | (none) | (none)
3 | 5 | Create and implement procedures for the proper handling and disposing of defective ID badges. | O | Director, Security Management Division, Office of Administration and Resources Management | 12/15/2008 | (none) | (none)

(1) O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is undecided with resolution efforts in progress


Appendix A

Agency’s Response to Discussion Draft Report

MEMORANDUM

SUBJECT:  Response to Quick Reaction Report Discussion Draft

FROM:     Renee Page, Director /s/
          Office of Administration

TO:       Rudolph M. Brevard, Director
          Information Resources Management Assessments
          Office of Inspector General

   Thank you for the opportunity to comment on the Office of Inspector General’s (OIG’s) Quick Reaction Report Discussion Draft of July 11, 2008: Identification Proofing, Incident Handling, and Badge Disposal Procedures Needed for EPA’s Smartcard Program.

   The Security Management Division (SMD) concurs with the Report’s three recommendations. Our implementation plans and associated milestones are below.

   Our only comments are to clarify the issue of Personally Identifiable Information (PII) on the EPASS badge. The Report states, “…data on the Smartcard ID badges is Personally Identifiable Information” (p. 2); badges “…contain individuals’ ID information” (p. 2); and “…the new EPA Smartcard contains an employee’s PII” (p. 4). Please note that the only PII displayed or stored on the badge is the employee’s name and photograph. The badge does not contain a Social Security number or other information considered sensitive PII, as defined by the Agency’s Privacy Policy (http://www.epa.gov/privacy/policy/2151/index.htm).

   The report also states that badges contain individuals’ fingerprints (p. 4). The badge does not contain fingerprints, but rather a fingerprint template, a mathematical representation of certain minutiae (see attached file). The template cannot be used to construct a fingerprint image.

   Finally, we respectfully request the deletion or correction of one sentence: “We reviewed how EPA responds to incidents of wrongfully issued Smartcard badges” (p. 1). The incident in question and the Quick Reaction Review did not involve a wrongfully issued badge. The Report itself states “…the security controls built into the Smartcard issuance process prevented the card from being issued” (p. 3) and “…we did not discover more than the one incident” (“At a Glance” page).

   The following is SMD’s corrective action plan to implement OIG’s recommendations:

   1. Update existing ID card issuing procedures to ensure the procedures include all mandatory steps required by FIPS 201. This should include steps to require EPASS program staff to visually inspect ID documents for proper verification of the applicant’s identity.

      SMD will update procedures to require EPASS staff to visually inspect identity documents and ensure a match between any photograph and the EPASS applicant, and between the name on identity documents and the name in the EPASS record. Implementation milestone: Updated procedures will be in place by October 15, 2008.

   2. Create incident-handling procedures to be used by EPASS program staff for recording, resolving, and notifying management when errors in the ID card issuing process occur. These procedures should include adopting, where applicable, EPA’s “Personally Identifiable Information (PII) Incident Handling & Response Procedure.” These procedures should also include the processes EPASS staff should use to correct employee records in the EPASS system, note how the changes to system records should be documented, and define a process for reviewing modified employee records for authorized changes.

      SMD will create EPASS incident-handling procedures to record, resolve, and notify management of errors such as the one examined in this Report. The new procedures will include processes, documentation, and guidance for correcting and reviewing employee EPASS records. We will adopt portions of EPA’s PII Incident Handling & Response Procedures, as applicable. Implementation milestone: Procedures will be in place by December 15, 2008.

   3. Create and implement procedures for the proper handling and disposing of defective ID badges.

      SMD will create and implement procedures for handling and disposing of defective EPASS badges, consistent with National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization. Implementation milestone: Procedures will be in place by December 15, 2008.

   We believe our corrective action plan and milestones meet OIG’s requirements. If you have additional questions, please contact Personnel Security Branch Chief Kelly Glazier at 202-564-0351.

Attachment


Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Administration and Resources Management
Director, Office of Administration, Office of Administration and Resources Management
Director, Security Management Division, Office of Administration and Resources Management
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
Office of General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Audit Follow-up Coordinator, Office of Administration and Resources Management
Deputy Inspector General
